With about 1.5 billion Gmail accounts to its name, about one year ago Google launched an investigation into Gmail account hijacking.

The tech beast found that phishing presents far more risks than data breaches, in which email addresses and passwords are stolen.

Google carried out the study in conjunction with the University of California, Berkeley. The researchers:
  • Searched public hacker forums
  • Scanned paste sites in which stolen details are posted
  • Accessed several private hacker forums

These searches revealed:
  • 1.9 billion credentials exposed by data breaches
  • The hacked sites included MySpace, Adobe, LinkedIn, Dropbox and several dating sites.
  • Most of the credentials found were being traded on private hacker forums

Clearly almost 2 billion stolen credentials is an enormous number. Yet Google discovered:
  • Only seven percent of credentials exposed in data breaches matched passwords used by Gmail users
  • 25% of 3.8 million credentials exposed in phishing attacks matched current Google passwords

As a result the study concluded that:
  • Victims of phishing are 400 times more likely to have their account hijacked
  • This figure falls to 10 times for victims of a data breach

Phishing collects more information

Phishing victims are more likely to have their email accounts hijacked because:
  • Phishing kits contain pre-packaged fake login pages for popular and valuable sites, such as Gmail, Yahoo, Hotmail, and online banking.
  • These pages are often uploaded to compromised websites and automatically capture email credentials and transfer them to the attacker
  • Phishing attacks capture more information alongside the user's login, such as the victim's geolocation, secret questions, phone numbers and device identifiers

As a result, it’s hardly surprising that phishing attacks are considered more dangerous than data breaches; hackers are gaining valuable nuggets of information they can exploit.

Interestingly, the research also discovered:
  • 83 percent of 10,000 phishing kits collect victims' geolocation
  • 18 percent collect phone numbers


The phishing baddies

The study also discovered that:
  • 41 percent of phishing kit users are from Nigeria
  • The next biggest group is US phishing-kit users, who account for 11 percent

Interestingly, the researchers also discovered that Gmail accounts are popular among phishing skanksters:
  • 72 percent of the phishing kits use a Gmail account to send captured credentials to the attacker.
  • In contrast only 6.8 percent of phishing kits use Yahoo

However, alarmingly:
  • The phishing kits were sending 234,887 potentially valid credentials every week. That’s a lot.
  • Gmail users also represent the largest group of phishing victims, accounting for 27 percent of the total in the study.
  • Yahoo phishing victims follow at 12 percent.
  • That said, Yahoo and Hotmail users are the largest group of leaked credential victims, both representing 19 percent, followed by Gmail at 12 percent.

Stop that phishing

The researchers noted that two-factor authentication can mitigate the threat of phishing.
  • This is a process in which you add a mobile number to your email account.
  • When you access your account, you sign in and enter your password. You then receive a PIN code on your mobile by SMS.
  • You enter this PIN code to access your email account.
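
The sign-in steps above, seen from the server side, as an added example that is not part of the original article: the PIN is issued only after the password check, expires after a few minutes, works once, and is discarded after repeated wrong guesses. The class name, six-digit length, five-minute lifetime and three-attempt limit are assumptions chosen for illustration, and SMS delivery is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6          # assumed PIN length
PIN_TTL_SECONDS = 300   # assumed lifetime: five minutes
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per PIN


class SmsPinChallenge:
    """Second sign-in step; call issue() only after the password was accepted."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # account -> [salt, pin_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, pin):
        return hashlib.sha256(salt + pin.encode()).digest()

    def issue(self, account):
        """Create a fresh PIN; the caller texts it to the registered mobile number."""
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Only a salted digest is kept, and a new PIN replaces any older one.
        self._pending[account] = [salt, self._digest(salt, pin),
                                  self._now() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return pin

    def verify(self, account, submitted):
        """Return True once for the correct, unexpired PIN; False otherwise."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        salt, digest, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[account]      # expired PINs are discarded
            return False
        entry[3] -= 1                       # every guess costs one attempt
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[account]      # single use: cannot be replayed
            return True
        if entry[3] == 0:
            del self._pending[account]      # out of guesses: a new PIN is needed
        return False


if __name__ == "__main__":
    challenge = SmsPinChallenge()
    pin = challenge.issue("user@example.com")   # constructed sample account
    print("PIN accepted:", challenge.verify("user@example.com", pin))
```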